You can configure a context-aware or an application-based firewall rule by defining layer 7 service objects. A layer 7 context-aware firewall rule can intelligently inspect the content of the packets.
This example explains the process of creating a layer 7 firewall rule with the APP_HTTP service object. This firewall rule allows HTTP requests from a virtual machine to any destination. After creating the firewall rule, you initiate some HTTP sessions from the source VM that pass through this firewall rule, and turn on flow monitoring on a specific vNIC of the source VM. The firewall rule detects the HTTP application context and is enforced on the source VM.
- Security administrator
- NSX administrator
- Security engineer
- Enterprise administrator
- In the vSphere Web Client, navigate to .
- (Optional) Add a firewall rule section to group context-aware firewall rules.
- Click Add Rule.
- Create the context-aware firewall rule.
The following figure shows the firewall rule that you created.
- Enter a rule name to identify this rule. For example, enter L7_Rule_HTTP_Service.
- In the Source column, click the Edit () icon.
The Specify Source page opens.
- From the Object Type drop-down menu, select Virtual Machine.
- From the Available Objects list, select the virtual machine. Move this object to the Selected Objects list, and then click Save.
- In the Destination column, retain the default value as Any.
- In the Service column, click the Edit () icon.
The Specify Service page opens.
- From the Object Type drop-down menu, select Services.
- From the Available Objects list, select App_HTTP service. Move this service to the Selected Objects list, and then click Save.
- Make sure that the firewall rule is enabled, and the rule action is set to Allow.
- Click Publish to publish the firewall rule configuration.
- Log in to the console of your source VM and initiate the wget Linux command to download files from the web using HTTP.
- On the vNIC of the source VM, turn on live flow monitoring to monitor traffic flows on the source VM.
- Navigate to .
- Select a particular vNIC on the source VM. For example, select l2vpn-client-vm-Network adapter 1.
- Click Start to view the flow monitoring data.
- In the following figure, the flow monitoring data shows that the firewall rule has detected the application (HTTP) context. Rule 1005 is enforced on source VM (10.161.117.238) and traffic flows to destination IP addresses 220.127.116.11 and 18.104.22.168.
- Return to the Firewall page, and change the rule action to Block.
- Go to the console of the source VM and run the wget command again.
Observe that the HTTP requests are now blocked on the source VM. You should see an error in the VM console that says something like this:
HTTP request sent, awaiting response ... Read error (Connection reset by peer) in headers Retrying.
The following figure shows a flow with the application (HTTP) context detected and blocked on the vNIC of the source VM (10.161.117.238).
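The two wget runs above (one with the rule set to Allow, one with it set to Block) can be turned into a repeatable check from the source VM console. The script below is an added example, not part of the NSX documentation or the product: it runs wget against each URL given on the command line and maps the exit code plus output text onto a short label, so the result before and after changing the rule action can be compared line by line. The label names (ALLOWED, BLOCKED_RESET, and so on) and the choice of wget options are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the NSX documentation): probe HTTP destinations from the
# source VM with wget and classify each outcome, so the effect of the L7 rule can be
# compared before and after switching its action between Allow and Block.

# classify_wget_result EXIT_CODE OUTPUT
# Maps wget's exit code and its combined stdout/stderr text onto one label.
# Label names are constructed for this example. Always returns 0 so it is safe
# to call under "set -e".
classify_wget_result() {
    code=$1
    out=$2
    case "$out" in
        # The symptom seen on the page: TCP connects, then the request is reset.
        *"Connection reset by peer"*) echo "BLOCKED_RESET"; return 0 ;;
        *"Connection timed out"*)     echo "BLOCKED_TIMEOUT"; return 0 ;;
        *"unable to resolve host"*)   echo "DNS_FAIL"; return 0 ;;
        # Any server status line (printed by wget -S) means the request got
        # through the firewall, even if the server answered 4xx or 5xx.
        *"HTTP/1."*|*"HTTP/2"*)       echo "ALLOWED"; return 0 ;;
    esac
    if [ "$code" -eq 0 ]; then
        echo "ALLOWED"
    else
        echo "OTHER_EXIT_$code"
    fi
    return 0
}

# probe_url URL
# Runs one wget request and prints "<label> <url>".
#   --tries=1   stops wget from silently retrying after the reset (the "Retrying."
#               seen in the console output above)
#   --timeout=10 bounds the wait when the rule drops rather than resets
#   -S          echoes server headers so a status line is visible to the classifier
#   -O /dev/null discards the body; only the outcome matters here
probe_url() {
    url=$1
    code=0
    out=$(wget --tries=1 --timeout=10 -S -O /dev/null "$url" 2>&1) || code=$?
    printf '%s %s\n' "$(classify_wget_result "$code" "$out")" "$url"
}

# Usage: sh l7_probe.sh http://example.test/ http://another.example.test/
# (hostnames above are placeholders; pass the destinations used in your test)
if [ "$#" -gt 0 ]; then
    for url in "$@"; do
        probe_url "$url"
    done
fi
```

Because the application context is identified from the content of the request, the client completes the TCP handshake and sends its headers before the rule takes effect; that is why wget reports "Connection reset by peer in headers" rather than "Connection refused". A check that only tests whether port 80 accepts a connection would therefore not show the layer 7 block, which is why the probe classifies on wget's full output rather than on connectivity alone.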
What to do next
To know about other scenarios where you can use context-aware firewall rules, see Context-Aware Firewall Scenarios.